[Snort-sigs] Proposed retirement of SID 5320

evilghost
Tue Jan 5 14:40:35 EST 2010


Hello, SID 5320 (virus.rules) is a high-cost rule, and the single 
uricontent match on a forward slash doesn't do much to reduce the load 
on the PCRE engine.  The PCRE appears to consist of multiple OR matches 
and is costly.  Since this rule is ancient, I would imagine retiring it 
would be wise.  Sober could be used as the new EICAR, like "Blaster" and 
"Slammer".  This rule is enabled by default.  Your thoughts/input are welcome.

This rule is a high-cost rule, as discovered by profiling, against a 
high-volume Snort process BPF'd and flow-pinned to inspect HTTP traffic.

Finally, if you wish to keep the rule may I suggest splitting it into 
separate rules with a precise uricontent match, PCRE if necessary, and 
perhaps an HTTP method as well?

Cheers,
evilghost
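As an added illustration of the cost argument in the post above (this is not code from the post or from the Snort project), the Python below models Snort's two-stage matching: a cheap literal uricontent check, followed by the PCRE only when the literal is present. The SIDs, file names and request URIs are constructed placeholders, not the content of SID 5320.

```python
import re
from dataclasses import dataclass


@dataclass
class Rule:
    """Minimal model of one Snort rule: a literal uricontent prefilter plus a PCRE."""
    sid: int
    uricontent: str      # literal checked first, like Snort's fast-pattern stage
    pcre: re.Pattern     # costly regex, only evaluated when the literal is present
    pcre_runs: int = 0   # how often the PCRE engine was actually invoked

    def match(self, uri: str) -> bool:
        if self.uricontent not in uri:   # cheap literal check should reject most traffic
            return False
        self.pcre_runs += 1
        return self.pcre.search(uri) is not None


# Constructed placeholder file names and SIDs; NOT the real body of SID 5320.
MONOLITHIC = [Rule(9000001, "/", re.compile(r"/(foo\.exe|bar\.scr|baz\.pif)$"))]
SPLIT = [
    Rule(9000002, "/foo.exe", re.compile(r"/foo\.exe$")),
    Rule(9000003, "/bar.scr", re.compile(r"/bar\.scr$")),
    Rule(9000004, "/baz.pif", re.compile(r"/baz\.pif$")),
]

# Constructed sample of request URIs: two should alert, one is a near miss.
SAMPLE_URIS = [
    "/index.html", "/images/logo.png", "/api/v1/users?id=7", "/static/app.js",
    "/download/foo.exe", "/cgi-bin/search?q=snort", "/bar.scr", "/favicon.ico",
    "/docs/baz.pifx", "/login",
]


def evaluate(rules, uris):
    """Run every URI through every rule; return (alerts, total PCRE invocations)."""
    for r in rules:
        r.pcre_runs = 0
    alerts = [(r.sid, uri) for uri in uris for r in rules if r.match(uri)]
    return alerts, sum(r.pcre_runs for r in rules)


if __name__ == "__main__":
    for name, rules in (("monolithic", MONOLITHIC), ("split", SPLIT)):
        alerts, runs = evaluate(rules, SAMPLE_URIS)
        print(f"{name}: {len(alerts)} alerts, PCRE invoked {runs} times")
```

With the "/" prefilter every request reaches the PCRE; with precise literals only the three candidate requests do, and the set of alerts is identical.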